Emotet, Trickbot and Ryuk – are these the worst threesome since computer viruses started?

Author
Stefan Rothenbühler
Published
08. August 2019

What links today's most common viruses Emotet, Trickbot and Ryuk? They like to pop up together, and as a result they can cause considerable damage. In this blog article, my Cyber Security analyst team and I discuss what the trio are all about and how you can protect yourself from this ensemble.

Over the past few months, our cyber security analysts, forensic experts and incident responders at InfoGuard have been repeatedly confronted with these three viruses – including the Offix case, which has recently been covered in the media. Our team was always on hand to work with customers to get IT operations up and running again as quickly as possible as part of Incident Response. We also noticed that Emotet, Trickbot and Ryuk often appear together. Why is this? Each of these players has a different function in the attack, and (unfortunately) they complement each other perfectly.

Step 1: Initial Compromise by Emotet

When Emotet first appeared in 2014, the malware was designed as an e-banking Trojan. Emotet installed itself on the compromised computer system and attempted to access e-banking login data. Today, Emotet specialises in the initial compromise of systems. The Trojan goes so far as to steal entire e-mail histories and insert itself into those conversations in order to spread what is called "malspam" by e-mail. (We have already reported on this topic in detail in this article.) In addition, Emotet can spread further within a company using a variety of methods. Today, Emotet is primarily used as an entry point into a corporate network. This access is then either resold on the darknet or used by the attackers to load additional viruses, usually Trickbot.

Step 2: Spying with Trickbot

Trickbot, too, started out as an e-banking Trojan; it first appeared in 2016. It steals access data for e-banking accounts via what are known as "WebInjects". WebInjects are code fragments that, locally in the browser, replace parts of the genuine e-banking portal's page with the attacker's own. Trickbot can also steal e-mails and purloin login data from the Windows network using Mimikatz. What we have observed is that the virus has been constantly evolving since it first appeared, always focusing on stealing data. The attackers can sit in a company network and steal data without being detected. They continuously evaluate this data, which gives them a fairly clear picture of the company, its processes and its internal IT landscape. For example, the cybercriminals learn how much money a company has and which data it depends on. As you can imagine, this information is then used for the final act of destruction: the attack by Ryuk.

Step 3: Encryption and Ransom Demand with Ryuk

Thanks to Trickbot, the attackers now know the company well enough to launch the final phase with Ryuk. This encryption Trojan specialises in highly targeted attacks. This means the attackers can specifically encrypt the data that is particularly worth protecting, the company's crown jewels, as it were, and thanks to Trickbot they know exactly which data that is. Of course, they also know where the backups for this data are stored and can encrypt them at the same time; and since the attackers also know about the company's financial position, the ransom demands are, of course, set as high as possible...

4 Tips so that Emotet, Trickbot and Ryuk don’t have a chance

Unfortunately, cyberattacks by the threesome are often only discovered at the final, most devastating stage, namely when the IT systems are at a standstill because of Ryuk's encryption, and by then it is often already too late. If a company has taken inadequate precautions and, for example, has not created an offline backup, the only remaining option is often to pay the ransom to protect the company from disaster, or even financial ruin. But it doesn't have to come to that! Based on our experience, my team and I have summarised the most important learnings for you:

  1. Prevent initial infection: Of course, the best thing is for the infection not to occur in the first place. This is why the main focus is on Step 1, Emotet. Emotet mainly spreads via e-mails with infected Word documents. We recommend two very effective measures to counteract this: on the one hand, restricting macros; on the other, security awareness training for employees so that they know how to handle suspicious e-mails.

  2. Offline backups: The combination of Emotet, Trickbot and Ryuk makes them very effective and enables them to launch a targeted attack. The only real survival insurance for companies is to make regular offline backups, because offline is the only place cybercriminals can't get to.

  3. Monitoring of endpoints and servers via EDR: Our Incident Response missions always begin by taking back control of every computer and server in the company. We use specialised EDR (Endpoint Detection & Response) solutions, which we install specifically for incident response cases. This enables us to carry out thorough searches of infected systems and clean them up centrally. Ideally, the company has already installed an EDR solution, such as Tanium. This makes early detection of an attack possible, which is rarely an option with conventional signature-based detection mechanisms (antivirus).

  4. Rapid deployment via Incident Response Retainer: Despite the measures mentioned above, it is never possible to completely rule out an incident. Our experience shows that, from the moment the attack is discovered to the time it is resolved, what takes the most time is finding the right partner to resolve the problem and enabling them to do so. Preparing offers, orders and partner accounts, granting access to the systems, the time the partner needs to become familiar with the environment, etc.: all these time factors can be eliminated, or at least reduced, by choosing a suitable partner BEFORE the incident occurs. All the benefits of an Incident Response Retainer can be found here:
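Tip 1 recommends restricting macros because Emotet arrives in infected Word documents. As an added example that is not part of the original article or InfoGuard's tooling, the PowerShell script below audits the Office macro policy values Microsoft documents for Word, Excel and PowerPoint (disable all macros without notification; block macros in files from the Internet) and, with -Enforce, sets them. It assumes Office 16.0 (2016/2019/365); adjust $OfficeVersion for other releases.

```powershell
# Added example: audit or enforce the Office macro policy that blunts
# Emotet's infected-Word-document delivery. Assumes the Office 16.0 policy
# hive (Office 2016/2019/365); other versions use a different number.
param(
    [switch]$Enforce,
    [string]$OfficeVersion = '16.0'
)

# Hardened values (documented Office policy settings):
#   VBAWarnings 4                       = disable all macros without notification
#   blockcontentexecutionfrominternet 1 = block macros in files marked as from the Internet
$Desired = @{
    'VBAWarnings'                       = 4
    'blockcontentexecutionfrominternet' = 1
}
$Apps = 'Word', 'Excel', 'PowerPoint'

$Findings = foreach ($App in $Apps) {
    $Key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    foreach ($Name in $Desired.Keys) {
        # Missing key or value yields $null, i.e. the user can still enable macros.
        $Current   = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
        $Compliant = ($Current -eq $Desired[$Name])
        if (-not $Compliant -and $Enforce) {
            if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
            New-ItemProperty -Path $Key -Name $Name -PropertyType DWord `
                -Value $Desired[$Name] -Force | Out-Null
            $Compliant = $true
        }
        [pscustomobject]@{
            Application = $App
            Setting     = $Name
            Current     = if ($null -eq $Current) { 'not set' } else { $Current }
            Desired     = $Desired[$Name]
            Compliant   = $Compliant
        }
    }
}

$Findings | Format-Table -AutoSize
if ($Findings | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Macro policy is not hardened; re-run with -Enforce or deploy the equivalent GPO.'
    exit 1
}
```

The HKCU policy hive covers only the current user; for the whole fleet, push the same two values through the Office Administrative Templates in Group Policy and use this script as a spot check on individual machines.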

Incident Response Retainer

Rely on experienced cyber defence specialists

It is not easy to choose the right service provider. However, the most important thing needed in such complex, targeted attacks is experience. That is why you should rely on a partner with a proven, experienced team of specialists, such as InfoGuard. We have many years of experience and knowledge in a variety of subject areas and with countless kinds of cyberattacks. At our Cyber Defence Center (CDC) in Baar, we have over 35 employees working to ensure maximum Cyber Security for our customers, 24/7. More information about our Cyber Defence Services can be found here:

Cyber Defence Services

Ultimately what am I getting at? Contact us – and don't wait until it's too late!
